Hi,
I have installed an agent on my Windows 2008 R2 machine and I am getting the logs here, but the logs are not parsed because the raw message is split into several parts. To try to fix this I disabled the default parser, but it does not test and does not produce a positive/negative output. I do not encounter such a problem in my test environment. When I want to validate the rule in the default, it gives an error in the XML, but it was working before; it is not possible to have an error because it is the system parser.
I'm also facing the same problem on FortiSIEM 7.1.3: the testing goes on forever and I can't enable the custom parser.
Did you find a solution or is the situation the same?
It goes on still, even when trying to enable previously tested parsers. So it's sure that it's not behaving this way due to some error in the parser. It's something wrong with the FortiSIEM nodes/appliances. I do get a proxy error a few seconds after I start the testing for the parser.
Linking my issue here. I cannot get my parser to enable; validation passes and testing passes. Does Fortinet have any explanation other than it's wonky? I cannot follow the steps in the 7.1.3 user guide. They don't work. It's an endless loop of validating and testing.